Of course they might have got cleartext passwords as well since they compromised their systems, and that would be a good reason for changing.
8 million leaked passwords connected to LinkedIn, dating website (ars technica)
Posted Jun 7, 2012 22:21 UTC (Thu) by kmself (subscriber, #11565)
It tells the attackers which hashes are of value (e.g.: are used).
Since this hashlist was unsalted, it would also make it possible to compare directly with other unsalted hashes (a too-common occurrence) and determine which hashes were worth attempting to brute force in order to gain access to multiple systems.
I'd strongly recommend changing your password for something long, random, and unique.
Posted Jun 8, 2012 11:15 UTC (Fri) by dps (subscriber, #5725)
Some things are sufficiently important to merit their own password but most don't. You won't find a list of my passwords and where to apply them outside my head, but some of those places are easy to guess.
There is no excuse for using plain text or unsalted password hashes. Just because M$ windows uses unsalted plain text equivalent password hashes does not mean you should too.
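The point kmself and dps make above (an unsalted hash list can be matched directly against other unsalted dumps, while per-user salts make such comparison meaningless) as an added Python illustration, not code from the thread or from LinkedIn; the two "sites" and their passwords are constructed sample data:

```python
import hashlib
import os

# Constructed sample data: two unrelated sites whose users reuse passwords.
# Made-up accounts and passwords, not values from any real leak.
SITE_A = {"alice": "correct horse", "bob": "hunter2", "carol": "letmein"}
SITE_B = {"alice": "correct horse", "bob": "hunter2", "dave": "tr0ub4dor"}


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password: the scheme the leaked list used."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user random salt fed through a slow KDF (PBKDF2-HMAC-SHA256).
    The salt is what makes two sites' hashes of the same password differ;
    the iteration count is what slows down guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def dump_unsalted(site: dict) -> set:
    """Hash set as it would appear in an unsalted dump."""
    return {unsalted_sha1(pw) for pw in site.values()}


def dump_salted(site: dict) -> set:
    """Hash set from a site that gives every account 16 fresh random bytes."""
    return {salted_hash(pw, os.urandom(16)) for pw in site.values()}


def shared_hashes(dump_a: set, dump_b: set) -> int:
    """Number of hashes present in both dumps: with unsalted hashes this is
    exactly the count of reused passwords, revealed without cracking any."""
    return len(dump_a & dump_b)


if __name__ == "__main__":
    # Two users reuse their password across the sites, so the unsalted dumps
    # share two hashes; the salted dumps share none.
    print("unsalted overlap:", shared_hashes(dump_unsalted(SITE_A), dump_unsalted(SITE_B)))
    print("salted overlap:  ", shared_hashes(dump_salted(SITE_A), dump_salted(SITE_B)))
```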
Posted Jun 8, 2012 11:28 UTC (Fri) by paulj (subscriber, #341)
Your memory does not scale. You can only remember a small number of passwords. So you should use these few passwords only for a few of your most sensitive accounts.
Posted Jun 8, 2012 19:26 UTC (Fri) by dlang (✭ supporter ✭, #313)
Posted Jun 8, 2012 22:03 UTC (Fri) by paulj (subscriber, #341)
Posted Jun 8, 2012 22:13 UTC (Fri) by dlang (✭ supporter ✭, #313)
are you willing to have no access to any of the sites if there is a problem getting to that one server?
Posted Jun 8, 2012 23:25 UTC (Fri) by paulj (subscriber, #341)
Posted Jun 8, 2012 23:28 UTC (Fri) by dlang (✭ supporter ✭, #313)
if someone gets those passwords, they get access to everything.
Posted Jun 8, 2012 23:34 UTC (Fri) by paulj (subscriber, #341)
Posted Jun 8, 2012 23:43 UTC (Fri) by dlang (✭ supporter ✭, #313)
trusting them to not have any insiders who would be interested in your bank's account and password, and to keep their systems secure enough to prevent outsiders who are interested in your bank's account and password, is something very different.
Yes, I'm one of those paranoid folks who doesn't even let my browser remember passwords locally on my system. :-)
Posted Jun 8, 2012 23:54 UTC (Fri) by paulj (subscriber, #341)
Posted Jun 9, 2012 0:48 UTC (Sat) by martinfick (subscriber, #4455)
Seeing as phishing is a very common theme, having to type your password over and over again makes you very susceptible to it. At least when your browser remembers your password you won't likely accidentally type it into a phishing site. If your browser remembers the password for you, and you visit what you think is your commonly accessed site, and your browser does not auto-populate your password, it should send up red flags in your head: "why does it not remember my password?" Oh, perhaps because I mistyped and that isn't really an etrade url!
Posted Jun 11, 2012 8:51 UTC (Mon) by jezuch (subscriber, #52988)
Then don't type the address? Always access the site via bookmarks or maybe rely on the browser's autocompletion (based on bookmarks and/or browsing history). And, of course, never, ever click on links in email.
Posted Jun 9, 2012 15:20 UTC (Sat) by Cyberax (✭ supporter ✭, #52523)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds